OpenLDAP
Install OpenLDAP
Install OpenLDAP
# apt-get install slapd
You will be prompted for an administrative password. This will be the LDAP administrator password and will be used anywhere that write permission to LDAP is required. This will get set again in the next step when we reconfigure OpenLDAP.
Reconfigure OpenLDAP
Debian's default configuration for OpenLDAP is sometimes not quite what you might want. If you want to use an LDAP base DN based off something other than the domain name used when configuring the host you will need to reconfigure the package.
# dpkg-reconfigure slapd
The reconfiguration script will allow you to change the LDAP base DN to be based on a different domain name. For example, "myhub.org" would become "dc=myhub,dc=org".
The reconfiguration script will then ask for the organization to use. This isn't important to us and can be set arbitrarily.
You will then be asked to enter a password for the admin account. You will need to remember this password for later configuration steps.
Accept the default "HDB" database backend type.
Do not remove database when slapd is purged. Sometimes during maintenance it can be useful to reinstall slapd without wiping out the database.
Move the old database out of the way.
Don't allow LDAPv2 protocol.
Install nscd
The Name Service Cache (nscd) will used later so we go ahead and install it here.
# apt-get install nscd
Install HUBzero LDAP Schema
# apt-get install hubzero-openldapTo enable this new schema edit /etc/ldap/slapd.conf and add the following line as the last "include" statue under the "Schema and objectClass definitions" comment toward the beginning of the file.
include /etc/ldap/schema/hub.schemaThen restart OpenLDAP
# /etc/init.d/slapd restart
Initialize OpenLDAP Database
Several entries are expected to be prepopulated in OpenLDAP.
There is a script to do this, but the script has to be manually configured.
# cp /usr/lib/hubzero/openldap/HUB-INIT-SLAPD.tmpl HUB-INIT-SLAPDModify HUB-INIT-SLAPD and edit the five configuration lines near the beginning of the file:
base_dn="" admin_pass="" hubadmin_passhash="" hubrepo_passhash="" home_dir=""
- base_dn should be the base DN of your LDAP (e.g., "dc=myhub,dc=org")
- admin_pass should be the clear text password you set for the LDAP administrator.
- hubadmin_passhash should be the hashed password for the about to be created hubadmin account. You can hash a password using '/usr/sbin/slappasswd'
- hubrepo_passhash should be the hashed password for the about to be created hubrepo account. You can hash a password using '/usr/sbin/slappasswd'
- home_dir should be the home directoy you created earlier (eg., "/home/myhub").
# sh ./HUB-INIT-SLAPDThis should prepopulate the databae enough to bootstrap HUBzero.
Configure PAM to use LDAP
# apt-get install libpam-ldap
- Use "ldap://127.0.0.1" as the URI
- Set the base DN to match how you configured OpenLDAP (eg., "dc=myhub,dc=org")
- Use LDAP v3
- Accept making local root data admin
- LDAP does not require login
- Specify the DN for the LDAP admin user (eg., "cn=admin,dc=myhub,dc=org")
- Enter admin password for LDAP
Modify /etc/pam.d/common-auth by commenting out the existing configuration then adding rules to allow authentication against LDAP.
#auth required pam_unix.so nullok_secure auth sufficient pam_unix.so nullok_secure auth sufficient pam_ldap.so try_first_pass auth required pam_deny.soModify /etc/pam_ldap.conf by adding the following section (other mappings in this file should already be commented out).
# HUBzero Mappings
nss_base_passwd ou=users,?one
nss_base_shadow ou=users,?one?host=web
pam_filter host=web
pam_password crypt
nss_map_attribute uniqueMember member
nss_base_group ou=groups,dc=myhub,dc=org?sub
Be sure the BASEDN in the above matches that used by your configuration.
/etc/pam_ldap.secret contains the LDAP admin password and should only be readable by root.
Configure NSS to use OpenLDAP
# apt-get install libnss-ldap
- Specify the DN for the ldap admin account
- Specify the password for the ldap admin account
# HUBzero Mappings
nss_base_passwd ou=users,?one
nss_base_shadow ou=users,?one?host=web
pam_filter host=web
pam_password crypt
nss_map_attribute uniqueMember member
nss_base_group ou=groups,dc=myhub,dc=org?sub
Be sure the BASEDN in the above matches that used by your configuration.
Modify /etc/nsswitch.confpasswd: compat ldap group: compat ldap shadow: compat ldap
/etc/libnss-ldap.secret contains the LDAP admin password and should only be readable by root.
Test
# getent passwdTo test configuration. You should see entries for users 'hubrepo' and 'apps' toward the end of the list if everything is working correctly.
Troubleshooting
If you have a problem with the system apparently not recognizing up to date account or group information (eg., in the next section some people report receiving an error about unknown username 'hubadmin') you can nscd to flush it data cache and restart using the following commands:
# nscd -i passwd # nscd -i group # /etc/init.d/nscd restart # getent passwd
If you still don't see the hubadmin account listed then re-read the instructions and check your work very carefully. These instructions assume a fresh install, if you are working with an existing LDAP/PAM/NSS installation you will have to do more advanced troubleshooting outside the scope of this documentation.
Create home directories
Create a home directory for the apps user
# mkdir /home/myhub/apps # chown apps.public /home/myhub/apps # chmod 0700 /home/myhub/apps